dridex | 8ac37fc17d40290bb1bd932383ca3b99da2cf2629b2dc3efddeecd8f8cfb5e13

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c488428598c8b77ae9a87c494467e416_JaffaCakes118.dll
Size

1.2MB
MD5

c488428598c8b77ae9a87c494467e416
SHA1

d6fd46cdbec1b0f3f6465c7f823b8f8f285a37b8
SHA256

8ac37fc17d40290bb1bd932383ca3b99da2cf2629b2dc3efddeecd8f8cfb5e13
SHA512

a3e5ac2a8ed73353150f762db6e052b350c00c86678e960ef16335dbca06b10be427c43d4c59f05349c0fe30b65749d28e7b2b5feb5c1bfad128474f2a41e96d
SSDEEP

24576:GuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NYt:m9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3348-4-0x0000000003560000-0x0000000003561000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

Magnify.exemspaint.exeprintfilterpipelinesvc.exe

pid	Process
1668	Magnify.exe
2400	mspaint.exe
2824	printfilterpipelinesvc.exe

Loads dropped DLL 5 IoCs

Processes:

Magnify.exemspaint.exeprintfilterpipelinesvc.exe

pid	Process
1668	Magnify.exe
2400	mspaint.exe
2824	printfilterpipelinesvc.exe
2824	printfilterpipelinesvc.exe
2824	printfilterpipelinesvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vfaxdafbicozcso = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-4182098368-2521458979-3782681353-1000\\eN9PdJ\\mspaint.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Magnify.exemspaint.exeprintfilterpipelinesvc.exerundll32.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magnify.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	printfilterpipelinesvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Modifies registry class 2 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
3532	rundll32.exe
3532	rundll32.exe
3532	rundll32.exe
3532	rundll32.exe
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3348
Token: SeCreatePagefilePrivilege	3348
Token: SeShutdownPrivilege	3348
Token: SeCreatePagefilePrivilege	3348
Token: SeShutdownPrivilege	3348
Token: SeCreatePagefilePrivilege	3348
Token: SeShutdownPrivilege	3348
Token: SeCreatePagefilePrivilege	3348

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3348

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3348 wrote to memory of 2492	3348	94
PID 3348 wrote to memory of 2492	3348	94
PID 3348 wrote to memory of 1668	3348	95
PID 3348 wrote to memory of 1668	3348	95
PID 3348 wrote to memory of 2000	3348	96
PID 3348 wrote to memory of 2000	3348	96
PID 3348 wrote to memory of 2400	3348	97
PID 3348 wrote to memory of 2400	3348	97
PID 3348 wrote to memory of 764	3348	98
PID 3348 wrote to memory of 764	3348	98
PID 3348 wrote to memory of 2824	3348	99
PID 3348 wrote to memory of 2824	3348	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c488428598c8b77ae9a87c494467e416_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3532

C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
1⤵
PID:2492

C:\Users\Admin\AppData\Local\A4rubw\Magnify.exe
C:\Users\Admin\AppData\Local\A4rubw\Magnify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1668

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:2000

C:\Users\Admin\AppData\Local\rOdizJ\mspaint.exe
C:\Users\Admin\AppData\Local\rOdizJ\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2400

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe
1⤵
PID:764

C:\Users\Admin\AppData\Local\KGog\printfilterpipelinesvc.exe
C:\Users\Admin\AppData\Local\KGog\printfilterpipelinesvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\A4rubw\MAGNIFICATION.dll

Filesize
1.2MB

MD5
10772a6540495734fe454f63a524a3c6

SHA1
b7c091ec96cbae4179057bd2195d62e3a27e7539

SHA256
7a992c3eab02a547b88ce12319396c9de2ed629a01134fd77b261f3da1d76e0b

SHA512
28850fbe346824f2e4558e4f8bf5f05f7603a973c831b68fb90f16e3a80d1cbfdbee764565e18967df0cde018917135eb3e406770819100b2f7dc8e050091adc

Download Submit
C:\Users\Admin\AppData\Local\A4rubw\Magnify.exe

Filesize
639KB

MD5
4029890c147e3b4c6f41dfb5f9834d42

SHA1
10d08b3f6dabe8171ca2dd52e5737e3402951c75

SHA256
57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d

SHA512
dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

Download Submit
C:\Users\Admin\AppData\Local\KGog\XmlLite.dll

Filesize
1.2MB

MD5
ec028cfb6ead020c2801f518a9f13ef7

SHA1
00e184283ac1c936ddc43251c41d333373a3225d

SHA256
7043044c37deaf04d1a3e1792a4167b69068cbfb8abd8a1aba37c7ab2c730341

SHA512
b2e73c44a196181a8dc3a6290b084db21d68697d2dcf55fdbc16040cc01ffc1c73cd170bf90973eb0ae07ecbd24a7f00c4e410301c2441120ac5a37fe03aa0f6

Download Submit
C:\Users\Admin\AppData\Local\KGog\printfilterpipelinesvc.exe

Filesize
813KB

MD5
331a40eabaa5870e316b401bd81c4861

SHA1
ddff65771ca30142172c0d91d5bfff4eb1b12b73

SHA256
105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88

SHA512
29992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8

Download Submit
C:\Users\Admin\AppData\Local\rOdizJ\WINMM.dll

Filesize
1.2MB

MD5
b6c1d90a3657069e39f138fe9ad774f8

SHA1
71b3bdd3b0d4d88688212de58a88addfdbc8e0f3

SHA256
07610adac2f0f8613bdfed4b5b4c1ed26e6bd0b2ed9c3f8b967386310007716c

SHA512
05d08a77388e706e0ec2312898b15be3ef1a7e2cdcf85d5f72c08ca1fdf736a754fc185a04f7a68c2b2c83220ed859fb3345d826a23799f7837bd82fdbc4a0b1

Download Submit
C:\Users\Admin\AppData\Local\rOdizJ\mspaint.exe

Filesize
965KB

MD5
f221a4ccafec690101c59f726c95b646

SHA1
2098e4b62eaab213cbee73ba40fe4f1b8901a782

SHA256
94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709

SHA512
8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yfsfrqrlkk.lnk

Filesize
1KB

MD5
d659f47ce4d418dc0791ae0caa0e2b8f

SHA1
1e8a329f4274afbc1547494f2c46e08bb296d37a

SHA256
5556686f8668cd4a86dbc88ff04738801b9665089da863a5b59ebc3dc62fe2dd

SHA512
8acb1cf33612ed8362cd5d9ef5d715639cd4f7da45524f77514a99ec28b762d00bfe1b7d662d0aa3d9a3b080d76938141593b5e20ae64398423a3b7ad7da61a8

Download Submit
memory/1668-49-0x0000018082D20000-0x0000018082D27000-memory.dmp

Filesize
28KB

Download
memory/1668-46-0x00007FFA14690000-0x00007FFA147C2000-memory.dmp

Filesize
1.2MB

Download
memory/1668-52-0x00007FFA14690000-0x00007FFA147C2000-memory.dmp

Filesize
1.2MB

Download
memory/2400-68-0x00007FFA14630000-0x00007FFA14763000-memory.dmp

Filesize
1.2MB

Download
memory/2400-64-0x000001D015D00000-0x000001D015D07000-memory.dmp

Filesize
28KB

Download
memory/2400-65-0x00007FFA14630000-0x00007FFA14763000-memory.dmp

Filesize
1.2MB

Download
memory/2824-79-0x00007FFA141B0000-0x00007FFA142E2000-memory.dmp

Filesize
1.2MB

Download
memory/2824-84-0x00007FFA141B0000-0x00007FFA142E2000-memory.dmp

Filesize
1.2MB

Download
memory/3348-29-0x00000000015F0000-0x00000000015F7000-memory.dmp

Filesize
28KB

Download
memory/3348-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-6-0x00007FFA31C3A000-0x00007FFA31C3B000-memory.dmp

Filesize
4KB

Download
memory/3348-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-4-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/3348-30-0x00007FFA32F50000-0x00007FFA32F60000-memory.dmp

Filesize
64KB

Download
memory/3348-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3532-0-0x0000022D57380000-0x0000022D57387000-memory.dmp

Filesize
28KB

Download
memory/3532-39-0x00007FFA15860000-0x00007FFA15991000-memory.dmp

Filesize
1.2MB

Download
memory/3532-1-0x00007FFA15860000-0x00007FFA15991000-memory.dmp

Filesize
1.2MB

Download